FTC Seeks Feedback on the Health Data Breach Notification Rule

The Federal Trade Commission is seeking feedback from healthcare industry stakeholders about its breach notification requirements for entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA).

Under HIPAA, covered entities and business associates are required to issue notifications to breach victims within 60 days of the discovery of a breach of protected health information. The FTC’s Health Data Breach Notification Rule requires notifications to be issued by personal health record (PHR) vendors and third-party service providers within the same timeframe if there has been a breach of an individual’s healthcare data.

The review of the rule is standard procedure for the FTC, which reviews each of its rules every 10 years to determine whether it is still required and whether any updates are necessary. In this case, the breach notification rule has hardly been used, as there are relatively few PHR vendors and most of them are actually HIPAA-covered entities and are therefore required to comply with the HIPAA Breach Notification Rule instead.

The FTC publishes details of data breaches of 500 or more records under the rule, and in the 10 years that the rule has been in effect, only two notifications of breaches of 500 or more records have been received: the hacking of the NoMoreClipboard service, which was discovered in May 2015 and affected almost 570,000 individuals, and a misdirected email by the software vendor Intuit, which was discovered in September 2010 and affected 2,094 individuals. All other notifications the FTC has received were for breaches that affected fewer than 500 individuals.

The rule may currently be little used, but the situation could well change following the release of new interoperability rules by the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC). Under these rules, application programming interfaces (APIs) must be adopted to give patients easy access to their healthcare records, which can be sent to the health app of the patient’s choosing. These apps are likely to expand use of PHRs and there may be a greater need for the rule in the future.

“The current review is particularly timely due to the explosion of technologies that allow consumers and industry to create, assemble and share collections of personally identifiable information of all types. With respect to individually identifiable health information, consumers are allowing much of this data to be handled or maintained by tech companies whose privacy practices are shrouded in opaque, complex notices that users do not understand,” explained the FTC in a statement.

Specifically, the FTC wants to know whether the rule should be changed in light of the increased use of mobile health applications, virtual assistants providing health services, and other third-party health tools. Comment is sought on whether the notification timeframes and methods of reporting breaches are appropriate, whether the rule has resulted in under- or over-notification, and whether it has produced an efficient level of notification. Stakeholders have also been asked to comment on whether definitions such as that of a PHR are still appropriate or whether they need to be modified to reflect legal, technological, and economic changes.

Several changes have been made recently due to the COVID-19 pandemic, such as an increase in the provision of telehealth services using a wide range of platforms. The FTC has asked for feedback on whether the rule should be updated to take these developments into account.

Comments on the Health Data Breach Notification Rule are being accepted for 90 days from the date of publication in the Federal Register.